pkcs11-tool: C_CreateObject failed

pkcs11-tool: C_CreateObject failed

Cornelius Kölbel
Hello List,

I generated a keypair on my smartcard and generated a CSR and a certificate.

Now I want to store the certificate on the smartcard.
I use a third party pkcs11 module

pkcs11-tool --module /usr/local/lib/libetpkcs11.s -w test.pem -y cert -l --slot 0

But I get the following error:

error: PKCS11 function C_CreateObject failed: rv = CKR_ATTRIBUTE_VALUE_INVALID (0x13)

Aborting.


I guess this problem is caused by the pkcs11-lib, so I will also ask at
this lib-development.
But do you have any ideas? I attached the certificate to this mail.

Kind regards
Cornelius

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: pkcs11-tool: C_CreateObject failed

Cornelius Kölbel
Oh, I forgot the certificate.

The interesting thing is that importing this certificate using Mozilla
or Firefox works fine.

Regards
Cornelius

Cornelius Kölbel wrote:

> Hello List,
>
> I generated a keypair on my smartcard and generated a CSR and a
> certificate.
>
> Now I want to store the certificate on the smartcard.
> I use a third party pkcs11 module
>
> pkcs11-tool --module /usr/local/lib/libetpkcs11.s -w test.pem -y cert
> -l --slot 0
>
> But I get the following error:
>
> error: PKCS11 function C_CreateObject failed: rv =
> CKR_ATTRIBUTE_VALUE_INVALID (0x13)
>
> Aborting.
>
>
> I guess this problem is caused by the pkcs11-lib, so I will also ask
> at this lib-development.
> But do you have any ideas? I attached the certificate to this mail.
>
> Kind regards
> Cornelius
>
>

--
Dipl.-Phys. Cornelius Kölbel (Security Consultant)
LSE Leading Security Experts GmbH
Postfach 100121, 64201 Darmstadt
fon        : +49 (0) 6151 / 9067-0 fax: - 299
             +49 (0) 561 / 31 66 797
mobil      : +49 (0) 160 / 9630 7089
http://www.lsexperts.de        mailto:[hidden email]

MAX21-Unternehmensgruppe

---------------------------------------------------
Aladdin eToken and Linux?
-> http://www.etokenonlinux.org
---------------------------------------------------
Also visit LSE from 24.-28.10. at
Systems:
Hall B2, Stand 120
---------------------------------------------------




Attachment: test.pem (3K)

Re: pkcs11-tool: C_CreateObject failed

Stef Hoeben-2
In reply to this post by Cornelius Kölbel
Hi,

if you can build OpenSC yourself, you could play with the attributes
that are given to C_CreateObject(). Just hack your way in write_object()
in pkcs11-tool.c to remove things from cert_templ.

Hope that gives you the attribute where the /libetpkcs11 is barking on...

Cheers,
Stef


Cornelius Kölbel wrote:

> Hello List,
>
> I generated a keypair on my smartcard and generated a CSR and a
> certificate.
>
> Now I want to store the certificate on the smartcard.
> I use a third party pkcs11 module
>
> pkcs11-tool --module /usr/local/lib/libetpkcs11.s -w test.pem -y cert
> -l --slot 0
>
> But I get the following error:
>
> error: PKCS11 function C_CreateObject failed: rv =
> CKR_ATTRIBUTE_VALUE_INVALID (0x13)
>
> Aborting.
>
>
> I guess this problem is caused by the pkcs11-lib, so I will also ask
> at this lib-development.
> But do you have any ideas? I attached the certificate to this mail.
>
> Kind regards
> Cornelius
>


Re: pkcs11-tool: C_CreateObject failed

Nils Larsch
Stef Hoeben wrote:
> Hi,
>
> if you can build OpenSC yourself, you could play with the attributes
> that are
> given to C_CreateObject(). Just hack your way in write_object() in
> pkcs11-tool.c
> to remove things from cert_templ.
>
> Hope that gives you the attribute where the /libetpkcs11 is barking on...

or use pkcs11-spy to see what mozilla etc. send to the card and what
pkcs11-tool sends

Cheers,
Nils

Re: pkcs11-tool: C_CreateObject failed

Cornelius Kölbel
Hello Nils,
I took a look at Firefox.

Firefox wrote nearly everything:

CKA_TOKEN
CKA_CLASS
CKA_CERTIFICATE_TYPE
CKA_ID
CKA_LABEL
CKA_VALUE
CKA_ISSUER
CKA_SUBJECT
CKA_SERIAL_NUMBER

Regards
Cornelius

Nils Larsch wrote:

> Stef Hoeben wrote:
>
>> Hi,
>>
>> if you can build OpenSC yourself, you could play with the attributes
>> that are
>> given to C_CreateObject(). Just hack your way in write_object() in
>> pkcs11-tool.c
>> to remove things from cert_templ.
>>
>> Hope that gives you the attribute where the /libetpkcs11 is barking
>> on...
>
>
> or use pkcs11-spy to see what mozilla etc. send to the card and what
> pkcs11-tool sends
>
> Cheers,
> Nils



Re: pkcs11-tool: C_CreateObject failed

Nils Larsch
Cornelius Kölbel wrote:

> Hello Nils,
> I took
> a look
> at firefox.
>
> Firefox wrote nearly everything:
>
> CKA_TOKEN
> CKA_CLASS
> CKA_CERTIFICATE_TYPE
> CKA_ID
> CKA_LABEL
> CKA_VALUE
> CKA_ISSUER
> CKA_SUBJECT
> CKA_SERIAL_NUMBER

Did you compare this with the attributes pkcs11-tool sets
(sorry, I don't know off-hand which fields it sets)?

Cheers,
Nils
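
Added example, not part of the thread or of OpenSC: once the working (Firefox) and the failing (pkcs11-tool) sessions have each been logged through pkcs11-spy as suggested above, a script like this one diffs the two C_CreateObject templates. The log layout, both sample captures and the function names are assumptions; the working capture reuses the attribute list posted above, and the failing template is constructed, not what pkcs11-tool actually sends.

```python
import re

# Constructed captures in an assumed pkcs11-spy-like layout; FAILING is invented, not pkcs11-tool's real template.
WORKING = """\
41: C_CreateObject
[in] pTemplate[9]:
    CKA_TOKEN             True
    CKA_CLASS             CKO_CERTIFICATE
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_ID                0000000000a1b2c0 / 20
    CKA_LABEL             0000000000a1b300 / 9
    CKA_VALUE             0000000000a1c000 / 811
    CKA_ISSUER            0000000000a1d000 / 60
    CKA_SUBJECT           0000000000a1d100 / 58
    CKA_SERIAL_NUMBER     0000000000a1d200 / 3
Returned:  0 CKR_OK
"""
FAILING = """\
17: C_CreateObject
[in] pTemplate[6]:
    CKA_VALUE             00000000006f2000 / 811
    CKA_CLASS             CKO_CERTIFICATE
    CKA_CERTIFICATE_TYPE  CKC_X_509
    CKA_TOKEN             True
    CKA_PRIVATE           False
    CKA_LABEL             00000000006f2400 / 4
Returned:  19 CKR_ATTRIBUTE_VALUE_INVALID
"""
CALL = re.compile(r"^\d+: (C_\w+)")
RET = re.compile(r"^Returned:\s+\d+\s+(CKR_\w+)")
ATTR = re.compile(r"^\s+(CKA_\w+)\s+(.*?)\s*$")

def create_object(log):
    """Return (rv, {attr: value}) of the first C_CreateObject; byte values keep only their length."""
    attrs, inside = {}, False
    for line in log.splitlines():
        if (m := CALL.match(line)):
            inside = m.group(1) == "C_CreateObject"
        elif inside and (m := ATTR.match(line)):
            attrs[m.group(1)] = re.sub(r"^[0-9a-f]+ / (\d+)$", r"\1 bytes", m.group(2))
        elif inside and (m := RET.match(line)):
            return m.group(1), attrs
    return None, attrs

def diff_templates(ok, bad):
    """Compare the template of a working call with that of a failing one."""
    return {"only_failing": sorted(bad.keys() - ok.keys()),
            "only_working": sorted(ok.keys() - bad.keys()),
            "value_differs": sorted(k for k in ok.keys() & bad.keys() if ok[k] != bad[k])}
```

With CKR_ATTRIBUTE_VALUE_INVALID, the attributes under only_failing and value_differs are the first candidates to remove or change in cert_templ.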